This is the text from that page, for readers' convenience:
IE Chromeless Windows Vulnerability Demonstration
"An interesting thread developed over the weekend on BugTraq about a flaw in IE (all the way up through version 6 SP1) revolving around the exploitability of "chromeless" windows. Chromeless windows are screen objects that do not have the normal borders and other controls attached to them. As such, they can easily be placed anywhere on the screen, and (here is the problem) be made to obscure or even change important messages from the system.
I present, for your consideration, the following web site (it is not malicious, but you must wait for the ActiveX control to finish loading): Exploit Demo.
If everything went according to plan, and you have Medium or lower security set on your browser, you got a nice system alert that offered to "enable enhanced security for your system".
Do us a favor, and drag that dialog box around. If you didn't just wet your pants, you reacted better than I first did.
Chromeless windows can be made to obscure all sorts of things. Like putting a little gold lock in the browser's status bar, even if the site is not actually SSL-enabled. Or how about obscuring the site you are on, making you think you are on your bank's site, when instead you are on www.Hackers-R-Us.com.
The dangers of chromeless windows were first reported nearly 2 years ago by George Guninski. However, Microsoft considers the issue to be "low-risk", and it continues to be exploitable on out-of-the box installations of any OS containing Internet Explorer,
Looks like this got fixed in SP2, which is at least a step in the right direction.
Also doesn't seem to affect browsers based on the IE engine, like myIE.
Posted on site
#re: IE Chromeless Windows Vulnerability Demonstration 5/8/2004 10:16 PM
Branton: I just went to the exploit site with XP SP2 and this is what happened:
1.) IE didn't allow the site to install software on my computer
2.) I allowed IE to install ActiveX controls from the page and got the message: Windows has blocked this software because it can't verify the publisher.
So even if the publisher was verifiable, the user would have to take action in order to install the control. It isn't done automatically anymore.
I LOVE chromeless windows
a different way to make INTERFACES
by service pack 2
I hate SP2
* I don't use this functionality maliciously
only with full user permission
** Should Mozilla or Konqueror decide to offer FULLSCREEN kiosk mode - like IE - USE - to,,, I'm there
the more you TAKE away - the more your devs of 12 yrs go AWAY
stop the saddam land grab - and go after osama
- sp2 is a farce
- a land grab
- an option remover
please fire jim alchin and all these points would be moot
Lars said: "chromeless windows should never have been allowed in the first place."
perhaps lars.. but they were.. and now they are not
= loss of functionality and user rights
no other way to put it
here today - gone tomorrow
you know... all you genius programmers may want to take a look at this SP2 stuff from an interface developer's view.
SP2 removes all chances of a one-click new interface to cover windows - fullscreen, the whole bit. There is a status bar and a top toolbar now.
I'm sure many of you are all cheering: "Yay! no more taking over my screen!"
but my point all along is: I never did that - I said "click here for fullscreen version"
but even this has been REMOVED now
that's what I don't like
I am beginning to get suspicious of the above poster 'Jamie' because:
- Has posted previous complaints about SP2.
- Has made forum posts that don't even have to do with anything relevant to Channel 9 (or otherwise called "Developer Central")
- I think he is a hacker, because he wants chromeless windows even when there is a huge risk associated with it.
I too am suspicious LoadsGood ... or should I say (ba ba ba bumm STEVE BALMER!
I think Jamie's funny. I find amusement in trying to figure out if he is drunk or not.
hey, I'm in marketing.. hic*
I have read jamie's posts as well and while I understand (or at least think I understand) that he is concerned about user options being chopped away for the sake of "security", I really do think that the good outweighs the bad when it comes to stuff like
I'm not foolish enough to click on a dialog that says "Click OK to secure your computer", especially if I'm browsing the web, but I definitely know people who would click on it without knowing the mess they are getting into. As such, I think getting rid of this "feature" is for the general benefit of all.
Another thing to understand is that while there is complaining going on about Windows restricting users and limiting their options in an attempt to secure their computers, I believe this actually gives users more options. They can now choose between having a computer running easily exploitable services and features, or having a tightly sealed system. It then allows them to open up only exactly what they want, thus giving them the option to configure their system how they best see fit.
I like the thought of Windows locking itself down and I think any software that can expose potential security threats should also be locked down out of the box. When you buy new software, you generally don't know how to work the entire package, which means you never truly know you have secured it correctly until you learn its every option inside out. If the program is fully locked down, you know exactly what the vulnerabilities are since you enabled the settings yourself, and you can better prepare for any exploits as you know the vector of attack your offenders would take.
I can see this 'fix' breaking a number of programs, including some of mine, if it kills the functionality found in the SetLayeredWindowAttributes API call. For example, I used this extensively in a Point-of-Sale application to allow custom dialogs for finger action rather than mousing. Many games also use this method for non-standard dialogs, as well as several media players and so forth.